Uninstalling AIR responders

There are several ways to uninstall the AIR responder (agent) from an asset: through the AIR console, or directly on the asset itself.

Only remove the agent if you do not intend to revisit the asset for further investigation: once it is uninstalled, any later investigation requires a fresh agent deployment.

From the Assets button in the Main Menu it is possible to select one or multiple assets and then, via the Bulk Action Bar, choose to either 'Uninstall agent' or to 'Uninstall agent and purge console data'.

It is also possible to uninstall the agent from an individual asset's Asset Info page by selecting the option from the Asset Actions drop-down menu.

The 'Uninstall agent' option removes the AIR application from the selected assets.

The 'Uninstall agent and purge console data' option removes the AIR application from the selected assets and deletes the data the console holds for those assets. All associated tasks (e.g. Timeline) are also deleted from the console. Data saved to Remote Storage, and data saved locally on the asset, remain intact; interACT or your usual asset management tools can be used to remove that local data.

Password Protection for AIR Responder Uninstallation

When password protection is enabled, agent uninstallation through the local OS UI (Add/Remove Programs and the like) is disabled.

Local users of an asset can then only uninstall the AIR agent if they have the AIR-generated uninstall password.

The agent can only be uninstalled from the command line, with the protection password supplied as an argument (the UNINSTALL_PASSWORD MSI property on Windows) or as an environment variable (AIR_UNINSTALL_PASSWORD on macOS), whether the command is run locally or remotely (e.g. via SCCM).

Uninstallation via the AIR UI or API remains possible without requiring a password.

AIR provides Tamper Detection for the AIR Agent - Your audit logs will record

Uninstalling on Windows assets

Graphical User Interface (GUI) Method

To gracefully uninstall the responder application from a Windows asset when uninstall password protection is not enabled (a password-protected agent must be removed from the command line, as described below), follow these steps:

  1. Navigate to the Control Panel.

  2. Open "Programs and Features" (called "Add/Remove Programs" on older Windows versions; on Windows 10/11 the same list is also available under Settings > Apps).

  3. Locate and select the Binalyze AIR Agent application from the list.

  4. Choose the option to uninstall.

Command Prompt Method

You can also uninstall the responder application from the command prompt, using either of the following methods:

Using Product Code

To uninstall via the product code, execute the following steps:

  • Identify the product code of the responder using PowerShell. Note that querying Win32_Product makes Windows Installer run a consistency check (and possible repair) of every MSI-installed product on the host, so it is slow and noisy; the product code can also be read from the GUID-named subkeys under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall without that side effect.

get-wmiobject Win32_Product | Sort-Object -Property Name | Format-Table IdentifyingNumber, Name, LocalPackage -AutoSize
  • Copy the identified product code.

  • Uninstall the agent using msiexec, substituting the product code you identified (the GUID below is an example and is specific to the installed agent build):

msiexec /x "{84662419-2FEB-48D0-AFBF-C174D871A3CA}"

Using Original MSI File

If you still have the original MSI file that the agent was installed from, you can point msiexec at it instead (the path below is an example):

msiexec /x "C:\Users\hio\Downloads\AIR.Agent_2.25.0_air-dev.binalyze.com_44_4ce0820f14f6461a_amd64_.msi"

Either method removes the agent application from the system.

Uninstalling a Password-Protected responder

To uninstall a password-protected agent, supply the uninstall password with the UNINSTALL_PASSWORD property on the msiexec command line:

msiexec /x "{84662419-2FEB-48D0-AFBF-C174D871A3CA}" UNINSTALL_PASSWORD="my-password"

A password passed this way is part of the process command line, so it will be recorded by process-creation auditing (e.g. Windows Security Event ID 4688 with command-line logging enabled, or Sysmon Event ID 1) and may appear in a verbose MSI log. Treat such logs accordingly, and rotate the uninstall password if it must stay secret.
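The two command-line methods above, as one script. This is an added worked example, not part of the original page and not Binalyze tooling. It assumes the agent's Programs and Features entry is named "Binalyze AIR Agent", that UNINSTALL_PASSWORD is the MSI property documented above, and that it runs in an elevated PowerShell session; it reads the product code from the Uninstall registry keys rather than Win32_Product, and the exit codes it interprets are standard Windows Installer codes.

```powershell
# Added example (not Binalyze's own tooling). Assumptions: the agent's Programs and
# Features entry is named "Binalyze AIR Agent", UNINSTALL_PASSWORD is the MSI
# property documented on the page, and this runs in an elevated PowerShell session.
param(
    [string]$UninstallPassword,                              # empty if the agent is not password-protected
    [string]$LogPath = "$env:TEMP\air-agent-uninstall.log"   # verbose MSI log for troubleshooting
)

# Look the product code up in the Uninstall registry keys. Enumerating Win32_Product
# instead makes Windows Installer run a consistency check (and possible repair) of
# every MSI product on the host, which is slow and noisy.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$agent = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Binalyze AIR*' -and $_.PSChildName -like '{*}' } |
    Select-Object -First 1

if (-not $agent) {
    Write-Warning 'No Binalyze AIR MSI product is registered on this host.'
    exit 1
}
$productCode = $agent.PSChildName      # the {GUID} subkey name is the MSI product code
Write-Host "Uninstalling $($agent.DisplayName) $($agent.DisplayVersion) ($productCode)"

# /x = uninstall, /qn = no UI, /norestart, /l*v = verbose log. MSI properties go last.
$msiArgs = @('/x', $productCode, '/qn', '/norestart', '/l*v', "`"$LogPath`"")
if ($UninstallPassword) {
    # The property lands on the msiexec command line, so it is visible to
    # process-creation auditing; see the note above the example.
    $msiArgs += "UNINSTALL_PASSWORD=`"$UninstallPassword`""
}
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

switch ($proc.ExitCode) {
    0       { Write-Host 'Uninstall completed.' }
    3010    { Write-Host 'Uninstall completed; a reboot is required.' }
    1618    { Write-Warning 'Another Windows Installer operation is running; retry later.' }
    1603    { Write-Warning "Fatal error during uninstall; inspect $LogPath." }
    default { Write-Warning "msiexec exited with code $($proc.ExitCode); inspect $LogPath." }
}
exit $proc.ExitCode
```

Run it as `.\Uninstall-AirAgent.ps1` for an unprotected agent, or `.\Uninstall-AirAgent.ps1 -UninstallPassword 'my-password'` for a protected one. How a rejected password is reported is not documented on this page; if the uninstall fails, the verbose log named in `-LogPath` is where to look.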

Uninstallation File and Directory Cleanup Process

When the Binalyze AIR Agent is uninstalled from a Windows asset, the following files and directories are cleaned up so that no residual data remains. All of them are deleted by the agent before the service is removed.

  • Utils Directory: the utils binaries in the agent's installation directory are removed. If the installation directory is C:\Program Files (x86)\Binalyze\AIR\agent, the folder is:

    • C:\Program Files (x86)\Binalyze\AIR\agent\utils\

  • Upload Temporary Directory: the directory used for temporary storage of upload files is cleared. It is found at one of the following paths:

    • C:\Users\[user]\AppData\Local\Temp\BinalyzeUploadTemp

    • C:\Windows\TEMP\BinalyzeUploadTemp

  • Update Temporary Directory: the directory used for temporary storage of update files is cleared. It is found at one of the following paths:

    • C:\Users\[user]\AppData\Local\Temp\BinalyzeUpdateTemp

    • C:\Windows\TEMP\BinalyzeUpdateTemp

  • Update Task Download Directory: the directory used for downloading MSI binaries. If the system drive is C:, the path is:

    • C:\BinalyzeUpdateTemp

  • Binalyze Temp Directories: if the temp location is C:\Windows\TEMP\, the paths are:

    • C:\Windows\TEMP\Binalyze

    • C:\Windows\TEMP\BinalyzeTemp

On Windows, the agent uses as its temporary location the first non-empty value among the %TMP%, %TEMP% and %USERPROFILE% environment variables, falling back to the Windows directory. The Temp paths above vary accordingly; for the agent service running as SYSTEM they typically resolve to C:\Windows\TEMP.

Uninstalling on Linux assets

On Ubuntu and Debian

  1. Open a terminal window.

  2. To uninstall the binalyze-air-agent package, use the following command:

    sudo apt remove binalyze-air-agent

    This command will uninstall the package.

On CentOS, Fedora, Red Hat and similar distributions (using dnf)

  1. Open a terminal window.

  2. To uninstall the binalyze-air-agent package, run the following command:

    sudo dnf remove binalyze-air-agent

    This command will uninstall the package.

Uninstallation File and Directory Cleanup Process

When the binalyze-air-agent package is uninstalled, the following files and directories are cleaned up so that no residual data remains.

  • Drone Config File: the Drone config file in the agent's installation directory. If the installation directory is /opt/binalyze/air/agent, the file is:

    • /opt/binalyze/air/agent/DRONE.Config.yml

  • Utils Directory: the utils binaries in the agent's installation directory are removed before the service is uninstalled. If the installation directory is /opt/binalyze/air/agent, the folder is:

    • /opt/binalyze/air/agent/utils

  • Upload Temporary Directory: the directory used for temporary storage of upload files is cleared:

    • /var/lib/binalyze/BinalyzeUploadTemp

  • Update Temporary Directory: the directory used for temporary storage of update files is cleared:

    • /var/lib/binalyze/BinalyzeUpdateTemp

  • Update Task Download Directory: the directory used for downloading deb or rpm packages. If the temp directory is /tmp, the folder is:

    • /tmp/BinalyzeUpdateTemp

  • Binalyze Temp Directories: if the temp location is /tmp, the folders are:

    • /tmp/Binalyze

    • /tmp/BinalyzeTemp

  • Persistent Folder:

    • /var/lib/binalyze

  • Config File: the config file in the agent's installation directory, deleted after the agent itself has been removed. If the installation directory is /opt/binalyze/air/agent, the file is:

    • /opt/binalyze/air/agent/config.yml

On Linux, the temp location is $TMPDIR if that variable is non-empty, otherwise /tmp.

Uninstalling on macOS assets

To initiate the uninstallation process for the Agent via the Terminal on macOS, execute the following command:

sudo /opt/binalyze/air/agent/air --uninstall

This command removes the Agent application from the macOS system.

Uninstalling a Password-Protected Agent

To uninstall a password-protected agent, supply the uninstall password in the AIR_UNINSTALL_PASSWORD environment variable when running the command in Terminal:

AIR_UNINSTALL_PASSWORD="my-password" sudo -E /opt/binalyze/air/agent/air --uninstall

The -E flag makes sudo preserve the caller's environment so the variable reaches the agent; it only works where the sudoers policy allows the user to preserve the environment (implied for users granted ALL commands). Passing the password in the environment rather than as an argument keeps it out of the process command line, and therefore out of command-line-based process auditing.

Uninstallation File and Directory Cleanup Process

When the com.binalyze.air-agent package is uninstalled, the following files and directories are cleaned up so that no residual data remains. All of them are deleted by the agent after the package information has been removed.

  • Utils Directory: the utils binaries in the agent's installation directory are removed before the service is uninstalled. If the installation directory is /opt/binalyze/air/agent, the folder is:

    • /opt/binalyze/air/agent/utils

  • Binaries: if the installation directory is /opt/binalyze/air/agent, these files are:

    • /opt/binalyze/air/agent/air

    • /opt/binalyze/air/agent/tactical

    • /opt/binalyze/air/agent/drone

  • Config File: the config file in the agent's installation directory. If the installation directory is /opt/binalyze/air/agent, the file is:

    • /opt/binalyze/air/agent/config.yml

  • Drone Config File: the Drone config file in the agent's installation directory. If the installation directory is /opt/binalyze/air/agent, the file is:

    • /opt/binalyze/air/agent/DRONE.Config.yml

  • Service File: the launchd daemon definition:

    • /Library/LaunchDaemons/com.binalyze.air-agent.plist

  • Upload Temporary Directory: the directory used for temporary storage of upload files is cleared:

    • /var/lib/binalyze/BinalyzeUploadTemp

  • Update Temporary Directory: the directory used for temporary storage of update files is cleared:

    • /var/lib/binalyze/BinalyzeUpdateTemp

  • Update Task Download Directory: the directory used for downloading pkg binaries. If the temp directory is /tmp, the folder is:

    • /tmp/BinalyzeUpdateTemp

  • Binalyze Temp Directories: if the temp location is /tmp, the folders are:

    • /tmp/Binalyze

    • /tmp/BinalyzeTemp

  • Persistent Folder:

    • /var/lib/binalyze

On macOS, the temp location is $TMPDIR if that variable is non-empty, otherwise /tmp.
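The three cleanup lists on this page (Windows, Linux and macOS) are easiest to verify with one script after the uninstall has run. The following post-uninstall check is an added example, not part of the original page and not Binalyze tooling. It assumes PowerShell 7 (pwsh) on Linux and macOS, the default installation directories named in the lists, and, for the registration checks at the end, that the Windows service display name starts with "Binalyze AIR" and that the macOS package receipt identifier starts with "com.binalyze." (neither is stated on this page).

```powershell
# Added post-uninstall check (not Binalyze's own tooling). Run with admin/root rights
# after the uninstall has finished. Needs PowerShell 7+ on Linux/macOS; Windows
# PowerShell 5.1 is fine on Windows ($IsWindows is undefined there, hence the
# $env:OS fallback; $IsLinux/$IsMacOS are simply $null, i.e. false, on 5.1).

function Test-IsWindowsHost { return ($IsWindows -or $env:OS -eq 'Windows_NT') }

function Get-AirTempDir {
    # The temp-location rule stated on this page: Windows takes the first non-empty of
    # %TMP%, %TEMP%, %USERPROFILE%, then the Windows directory; Linux and macOS take
    # $TMPDIR if non-empty, otherwise /tmp.
    if (Test-IsWindowsHost) {
        foreach ($candidate in @($env:TMP, $env:TEMP, $env:USERPROFILE, $env:SystemRoot)) {
            if (-not [string]::IsNullOrEmpty($candidate)) { return $candidate }
        }
        return 'C:\Windows'
    }
    if (-not [string]::IsNullOrEmpty($env:TMPDIR)) { return $env:TMPDIR }
    return '/tmp'
}

function Get-AirCleanupPaths {
    # Every path the cleanup lists on this page say should be gone afterwards.
    $tmp = Get-AirTempDir
    if (Test-IsWindowsHost) {
        $pf = ${env:ProgramFiles(x86)}; if (-not $pf) { $pf = $env:ProgramFiles }
        $install = "$pf\Binalyze\AIR\agent"     # default install dir (assumption)
        $sysTemp = "$env:SystemRoot\TEMP"       # temp location when the service runs as SYSTEM
        return @(
            "$install\utils",
            "$tmp\BinalyzeUploadTemp", "$tmp\BinalyzeUpdateTemp", "$tmp\Binalyze", "$tmp\BinalyzeTemp",
            "$sysTemp\BinalyzeUploadTemp", "$sysTemp\BinalyzeUpdateTemp", "$sysTemp\Binalyze", "$sysTemp\BinalyzeTemp",
            "$env:SystemDrive\BinalyzeUpdateTemp"
        )
    }
    $install = '/opt/binalyze/air/agent'
    $paths = @(
        "$install/utils", "$install/config.yml", "$install/DRONE.Config.yml",
        '/var/lib/binalyze',    # persistent folder; contains BinalyzeUploadTemp and BinalyzeUpdateTemp
        "$tmp/BinalyzeUpdateTemp", "$tmp/Binalyze", "$tmp/BinalyzeTemp"
    )
    if ($IsMacOS) {
        $paths += @("$install/air", "$install/tactical", "$install/drone",
                    '/Library/LaunchDaemons/com.binalyze.air-agent.plist')
    }
    return $paths
}

function Get-AirLeftovers {
    # Returns the subset of cleanup paths that still exist; an empty result means clean.
    return @(Get-AirCleanupPaths | Select-Object -Unique | Where-Object { Test-Path -LiteralPath $_ })
}

$leftovers = @(Get-AirLeftovers)
if ($leftovers.Count -eq 0) {
    Write-Host 'No residue at the documented cleanup paths.'
} else {
    Write-Host 'Residue still present (remove with interACT or your asset management tooling):'
    $leftovers | ForEach-Object { Write-Host "  $_" }
}

# Registration checks, separate from the file check.
if ($IsMacOS) {
    # Assumption: the pkg receipt identifier starts with com.binalyze.
    $receipts = @(& pkgutil --pkgs 2>$null | Where-Object { $_ -like 'com.binalyze.*' })
    foreach ($r in $receipts) { Write-Host "pkg receipt still registered: $r (sudo pkgutil --forget $r clears it)" }
} elseif ($IsLinux) {
    if (Get-Command dpkg-query -ErrorAction SilentlyContinue) {
        $status = & dpkg-query -W -f '${Status}' binalyze-air-agent 2>$null
        if ($status -like 'install ok installed*') { Write-Host 'dpkg still lists binalyze-air-agent as installed.' }
    } elseif (Get-Command rpm -ErrorAction SilentlyContinue) {
        & rpm -q binalyze-air-agent *> $null
        if ($LASTEXITCODE -eq 0) { Write-Host 'rpm still lists binalyze-air-agent as installed.' }
    }
} else {
    # Assumption: the Windows service display name starts with "Binalyze AIR".
    Get-Service | Where-Object { $_.DisplayName -like 'Binalyze AIR*' } |
        ForEach-Object { Write-Host "Service still registered: $($_.Name)" }
}
```

Run it once with the same elevated rights used for the uninstall; the file check is the authoritative part, since the cleanup lists above define what a clean asset looks like, while the receipt, package and service checks catch an uninstall that removed the files but stopped before deregistering. Anything it reports should be removed with interACT or normal asset management tooling, as the console section notes.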
